From 545d426bd3eb459ac1be0d478f1a89ed51e38669 Mon Sep 17 00:00:00 2001
From: vincent <vincent@ducamps.win>
Date: Sun, 27 Nov 2022 15:25:26 +0100
Subject: [PATCH] feat: vault secret in droneCI

---
 nomad-job/drone-runner.nomad | 48 +++++++++++++++++++++
 nomad-job/drone.nomad        | 81 ++++++++++++------------------------
 vault/approle.tf             | 31 ++++++++++++++
 3 files changed, 106 insertions(+), 54 deletions(-)
 create mode 100644 nomad-job/drone-runner.nomad
 create mode 100644 vault/approle.tf

diff --git a/nomad-job/drone-runner.nomad b/nomad-job/drone-runner.nomad
new file mode 100644
index 0000000..ce90f84
--- /dev/null
+++ b/nomad-job/drone-runner.nomad
@@ -0,0 +1,48 @@
+
+job "drone-runner" {
+  datacenters = ["homelab"]
+  priority = 50
+  type = "system"
+  meta {
+    forcedeploy = "0"
+  }
+
+  group "drone-runner"{
+    vault{
+      policies= ["droneci"]
+
+    }
+  
+    task "drone-runner" {
+      driver = "docker"
+      config {
+        image = "drone/drone-runner-docker:latest"
+        volumes = [
+          "/var/run/docker.sock:/var/run/docker.sock",
+        ]
+      }
+      env {
+
+      }
+      template {
+        data        = <<EOH
+          {{ with secret "secrets/data/nomad/droneCI"}}
+          DRONE_RPC_HOST="drone.ducamps.win"
+          DRONE_RPC_PROTO="https"
+          DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
+          DRONE_SECRET_PLUGIN_TOKEN={{ .Data.data.DRONE_VAULT_SECRET}}
+          {{ end }}
+          {{- range service "drone-vault" }}
+          DRONE_SECRET_PLUGIN_ENDPOINT=http://{{ .Address }}:{{ .Port }}
+          {{- end}}
+          EOH
+        destination = "local/drone-runner.env"
+        env         = true
+      }
+      resources {
+        memory = 50
+      }
+    }
+
+  }
+}
diff --git a/nomad-job/drone.nomad b/nomad-job/drone.nomad
index 491f9f4..03f5f98 100644
--- a/nomad-job/drone.nomad
+++ b/nomad-job/drone.nomad
@@ -12,6 +12,9 @@ job "drone" {
       port "http" {
         to = 80
       }
+      port "vault" {
+
+      }
     }
     constraint {
       attribute = "${attr.cpu.arch}"
@@ -66,73 +69,43 @@ job "drone" {
           DRONE_DATABASE_DATASOURCE="postgres://drone:{{ .Data.data.password }}@db1.ducamps.win:5432/drone?sslmode=disable"
           {{end}}
           EOH
-        destination = "local/drone.env"
+        destination = "secrets/drone.env"
         env         = true
       }
       resources {
         memory = 100
       }
     }
-
-    task "drone-runner" {
+    task "vault" {
       driver = "docker"
-      config {
-        image = "drone/drone-runner-docker:latest"
-        volumes = [
-          "/var/run/docker.sock:/var/run/docker.sock",
-        ]
+      service {
+        name = "drone-vault"
+        port = "vault"
       }
-      env {
-
+      config {
+        ports = ["vault"]
+        image = "drone/vault:latest"
       }
       template {
-        data        = <<EOH
-          {{ with secret "secrets/data/nomad/droneCI"}}
-          DRONE_RPC_HOST="drone.ducamps.win"
-          DRONE_RPC_PROTO="https"
-          DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
-          {{ end }}
-          EOH
-        destination = "local/drone-runner.env"
-        env         = true
-      }
-      resources {
-        memory = 50
-      }
-    }
+        data= <<EOH
+        DRONE_DEBUG=true
+        {{ with secret "secrets/data/nomad/droneCI"}}
+        DRONE_SECRET= {{ .Data.data.DRONE_VAULT_SECRET}}
+        VAULT_APPROLE_ID=  {{ .Data.data.approleID}}
+        VAULT_APPROLE_SECRET=  {{ .Data.data.approleSecretID}}
 
-  }
-  group "Drone-ARM-Runner" {
-    constraint {
-      attribute = "${attr.cpu.arch}"
-      value     = "arm"
-    }
-    task "drone-ARM-runner" {
-      driver = "docker"
-      config {
-        image = "drone/drone-runner-docker:1.8.2-linux-arm"
-        volumes = [
-          "/var/run/docker.sock:/var/run/docker.sock",
-        ]
-      }
-      env {
+        {{end}}
+        VAULT_ADDR=http://active.vault.service.consul:8200
+        VAULT_AUTH_TYPE=approle
+        VAULT_TOKEN_TTL=72h
+        VAULT_TOKEN_RENEWAL=24h
+        EOH
+        destination = "secrets/drone-vault.env"
+        env = true
 
       }
-      template {
-        data        = <<EOH
-          {{ with secret "secrets/data/nomad/droneCI"}}
-          DRONE_RPC_HOST="drone.ducamps.win"
-          DRONE_RPC_PROTO="https"
-          DRONE_RPC_SECRET= "{{ .Data.data.DRONE_RPC_SECRET}}"
-          {{ end }}
-          EOH
-        destination = "local/drone-runner.env"
-        env         = true
-      }
-      resources {
-        memory = 50
-      }
-    }
 
+
+    }
   }
 }
diff --git a/vault/approle.tf b/vault/approle.tf
new file mode 100644
index 0000000..637e766
--- /dev/null
+++ b/vault/approle.tf
@@ -0,0 +1,31 @@
+resource "vault_auth_backend" "approle" {
+  type = "approle"
+}
+
+resource "vault_approle_auth_backend_role" "drone-vault" {
+  backend        = vault_auth_backend.approle.path
+  role_name      = "drone-vault"
+  token_policies = ["drone-vault"]
+}
+
+
+data "vault_approle_auth_backend_role_id" "drone-vault" {
+    backend   = vault_auth_backend.approle.path
+    role_name = vault_approle_auth_backend_role.drone-vault.role_name
+}
+output "drone-vault-role-id" {
+      value = data.vault_approle_auth_backend_role_id.drone-vault.role_id
+}
+
+data "vault_policy_document" "drone-vault" {
+  rule {
+      path = "secrets/data/droneCI/*"
+      capabilities = ["read", "list"]
+   }
+
+}
+
+resource "vault_policy" "drone-vault" {
+    name = "drone-vault"
+    policy = data.vault_policy_document.nomad_server_policy.hcl
+}